With the addition of Group Policy Preferences, released with Server 2008 and newer, it is possible to easily and automatically deploy a Windows VPN client to domain joined computers. You might want to do so for a specific group of computers such as mobile users with notebooks.
- First, within the Active Directory Users and Computers console, create an OU in which you will place the computers to which you wish to deploy the VPN client. This would normally be a sub-OU of your Computers OU. For our Example I’ll call it Mobile Computers
- Next open the Group Policy Management console, locate the OU, right click on it and choose “Create a GPO in this Domain and Link it here”
- Name the new GPO
- Then right click on the new GPO and choose edit
- Browse to Computer configuration | Preferences | Control Panel Settings | right click on Network Options | choose New, VPN Connection
- Group Policy Preferences will allow you to create a PPTP or L2TP/IPSec connection, but not SSTP. For simplicity this will outline PPTP. Under the “New VPN properties” you will want to configure as follows:
- Action: I recommend “Replace”. If no connection exists on the client it will “Create” a new one and if you modify your policy, it will automatically replace the existing one.
- All Users connection. This is important if the user wants to connect the VPN before logon so that authentication can take place and policies and logon script be applied. For details see: Connect to a Windows VPN at Logon
- Connection Name: Can be anything you like and will be displayed under connections on the user’s PC
- Address: You can enter the IP or check the box “Use DNS name” and enter the public FQDN of your site
- Icon: I would also check the box “Show icon in notification area when connected” to allow the user to view the status of the VPN connection
- Next under Options there are no requirements to configure any features but you may wish to set redial attempts, idle time settings, or other options.
- Under Security choose Advanced, Use these other protocols, MS-Chap v2, the default protocol used with Server 2008 and newer
- Networking: Automatic is fine, but in a few cases folk have reported they needed to set this to PPTP
- Nothing needs to be configured under Common
- Click OK and your new Policy will be complete and appear in the list of Network Options
- The only remaining step is to run GPupdate /force on the client, while connected to the domain, or at some point reboot.
There is one other parameter you may wish to configure. When you manually create a VPN connection it automatically enables the “Use Remote Default Gateway” option. This is a security feature that blocks local network access while connected to the corporate network by VPN. For more information about the default gateway option please see Access local and VPN network Simultaneously . You cannot configure this within the policy we created above but you can using a different GP Preference and an .ini file. Peter Frederiksen has explained this nicely in the following TechNet forum: http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/f228d2ae-232d-4572-8eee-60252f6d03a3/
There are other ways to automatically create a VPN client:
Microsoft outlines doing so with Group Policy and an xml file in an article named; “Provisioning VPN client settings using Group Policy”
Using CMAK (Connection Manager Administration Kit) which has far more options and creates a more secure client in that clients cannot change some of the critical security settings, but it requires deploying the executable and asking the user to click on the .exe file to install